MORE THAN HALF OF BUSINESSES IN BANKING AND FINANCE DON’T HAVE A DATA RETENTION POLICY – ARE THEY HEADING FOR TROUBLE?

In your experience, are businesses in the banking and finance sector getting to grips with data retention – in particular around what data to keep and what to destroy?

Mike Dunleavy

“Unfortunately the answer has to be no, judging from a survey recently conducted by Crown Records Management.

“We found that more than half, 51 per cent, do not have a policy in place for email data retention. And heading towards three-quarters (71%) do not have systems that enable them to differentiate between a record (that must be retained) and other data. That’s a big concern given that the amount of data is increasing dramatically year on year. It indicates there could be some real challenges ahead.”

Were there any other findings of the survey which caught your eye which might be relevant to the finance sector?

“The results also showed that more than half of IT decision makers surveyed in the banking and finance sector (57%) do not audit their paper-based data regularly or destroy anything that’s no longer required. Additionally, closing on two-thirds (61%) do not regularly review what data is stored in the cloud or on-site. Two-thirds (65%) do not filter what goes into the cloud at all. That’s not good news.”

Is this situation going to get worse in the near future?

“I believe it is. With the amount of data exploding by the day, new regulations on the way and breaches growing in frequency, the window of opportunity to get a watertight records management policy in place is closing quickly. In fact it may well be gone by 2020.”

Why do you say that?

“Because a secondary explosion is inevitable by then – in a future where social media data is regarded as a record and the internet will leave everyone drowning in information.”

So is your concern that businesses simply aren’t aware of some of the pitfalls which lie ahead?

“It is. These results suggest businesses still aren’t wising up to the importance of basic common-or-garden records management principles despite the high level of publicity for breaches at the likes of TalkTalk and Carphone Warehouse.

“In 2016, businesses of all kinds, and especially in the finance sector, should know exactly what data they have and where it is. They’ll certainly need a retention policy in place to determine what information to keep or destroy. In fact, data retention policies are going to be more important than ever because holding on to unnecessary data could end up costing a lot of money in the long-term.”

What changes and trends in future could complicate the agenda?

“It’s all about the amount of data, which is increasing all the time, and the demand for it to be edited, deleted and protected. The current generation, Generation Y, is just starting to realise how powerful their digital footprint can be, for good or bad. Already it can follow you for a very long time and have a huge effect on your life.

“Inevitably they will become even more aware of this over the coming years, getting savvy about the power of data, and they will want more control. The demand for altering and deleting personal data is only going to grow. So if you are storing unnecessary data it could end up costing you.”

What about changes in legislation?

“The EU General Data Protection Regulation is one to look out for. It will bring huge fines for data breaches and you can be pretty certain the regulators will want to come down hard on the first few companies that breach the regulations when they eventually arrive, most likely in 2018. They will want to show it’s not all hot air and bureaucracy. They will want to jolt people into action.”

What can businesses do to prepare?

“As data continues to grow, thanks to globalization, social media feeds, and increased digital processes and interaction with customers, the task of managing data is only going to become more difficult. So it’s important to act now to wrestle control. Appoint a records manager or Data Protection Officer and have a data retention policy in place.”

But where would you start? For some businesses it might prove a challenge?

“Not knowing where to start is not an excuse not to start. Instead, approach the task in bite-sized chunks, document type by document type or department by department. Managing data effectively begins with knowing what data you have and then establishing a robust, compliant and well-implemented retention schedule.

“Make the application of your information management schedule part of your employee induction programme and part of your disciplinary process. This will clearly state how important keeping data safe is to the company. Embed records management into your day to day business, ensuring there is Board-level buy-in.”

Presumably, avoiding data breaches is going to take significant training?

“It will. Businesses should conduct regular staff training and updates; a persistent reminder of the importance of data is an effective guard against human error.

“With the EU General Data Protection Regulation on the way, pay particular attention to retention schedules for personal data – there will be an increasing need to know where personal data is, how you access it, how you can prove you can correct it or delete it, and have permission to use it for certain purposes.”

So, is it all about scaring businesses into action to deal with the problem?

“Not at all. Data retention is often viewed as being all about compliance, risk management and avoiding fines. But the real challenge is to look at data management not in terms of business cost or business risk, but as a business opportunity. In future companies with a good record of handling personal data will be more attractive to consumers; it may well become one of the most important ways they compare businesses.

“Businesses need to think now about protecting their brand, about how data affects customer experience and about how data needs to be continuously monitored. Realising the value of data in the modern world is what really matters.”